Suspect Software

Belarus confirms software work for U.S. medical and insurance companies

Software developed in the former Soviet state of Belarus is part of networks used by U.S. medical and insurance companies that are now part of President Barack Obama’s health care reform program, according to a senior official of a government technology park in Minsk.

However, Alexander Martinkevich, deputy director of Belarus’ High Technologies Park (HTP), said no Belarusian software companies took part in developing the Healthcare.gov system. "If we did, it would work from the first day of its launch," Martinkevich said in an email.

The comments by the Belarusian official contradict statements by Obama administration officials who have said no foreign software companies took part in developing the Healthcare.gov network.

The system was developed at a cost of more than $400 million, and it was plagued with functionality problems since the online launch Oct. 1. The software links some 300 U.S. insurance and health care providers to the federal government and an estimated 3 million Americans who have signed up for Obamacare online since Oct. 1.

Security concerns about foreign software and possibly malicious code from Belarus were raised inside the U.S. government last month. The Minsk government is viewed as an anti-U.S. dictatorship and a close ally of Russia. In February 2013, a security-monitoring firm detected the diversion of large amounts of U.S. Internet traffic to Belarus, compounding cyber attack worries from that country.

Martinkevich made the comments in response to questions posed by the Washington Free Beacon to HTP director, Valery Tsepkalo.

Tsepkalo told a Russian radio program in June that one of "our clients" was the Department of Health and Human Services and that "we are helping Obama complete his insurance reform."

"Our programmers wrote the program that appears on the monitors in all hospitals and all insurance companies—they will see the full profile of the given patient," Tsepkalo told Voice of Russia Radio June 25.

The comments prompted the U.S. intelligence warning that malicious software from Belarus may have been implanted by state-controlled software engineers in Belarus, making the Healthcare.gov software vulnerable to cyber attack.

In a statement, Peters said consumers who fill out online Healthcare.gov applications "can trust that the information that they are providing is protected by stringent security standards."

Security tests are conducted regularly and monitoring for malicious software and cyber attacks is continuous, she said.

"To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site," she said.

She repeated an earlier statement that after learning of the intelligence warning of Belarus malware, HHS conducted a review of the software to find out if any code was written in Belarus.

"HHS has found no indications that any software was developed in Belarus," Peters said. "Further, CGI, the primary contractor on the project, has asserted in a statement to HHS that that all code was developed in the U.S."

Security officials said the link to Belarus poses a risk because programmers under Minsk state control could have installed malicious software capable of hijacking U.S. private data to foreign locations. There also are concerns that malware could be used to place "back door" access points in the Healthcare.gov software that would allow remote access to networks.

The illicit access could potentially facilitate the theft of personal data of Americans, or pose a risk of identity theft, the officials said.

The HHS was urged late last month to conduct software checks for malicious code in Healthcare.gov. The network software is currently in use in all U.S. medical facilities and insurance companies.

Any covert software in the system, combined with Belarus’ capability to re-route U.S. Internet traffic, poses a potential threat of cyber attacks, the officials said.

After the Free Beacon disclosed the potential malware threat, the White House said an intelligence report outlining the concerns was recalled. However, senior U.S. intelligence officials testified to Congress that they were unaware of the report or its recall.

Caitlin Hayden, a White House National Security Council spokeswoman, told the Free Beacon last week that officials conducted a review of Obamacare software based on the report, but did not find malware from Belarus.

She said security reviews were continuing over concerns of potential breaches in "supply chain" security that remains a key worry.

A spokesman for the office of the Director of National Intelligence said the intelligence report was produced by the CIA-based Open Source Center and withdrawn because it was not properly vetted. The spokesman, Shawn Turner, denied that the report was withdrawn as a result of "politicization"—the suppressing or skewing of intelligence to support policies.

Tsepkalo did not respond to an email asking him to clarify the comments about HHS being a client, or to identify the Belarus-origin software he said was currently used by all U.S. medical and insurance facilities.

"Belarus Hi-Tech Park administration expresses its surprise by [the] free interpretation of facts given by journalists from Freebeacon.com and Svaboda.org concerning the software allegedly developed in Belarus," the statement said. "Even more surprising is the fact that the publications triggered further politically-driven remarks."

According to the statement, Tsepkalo’s comments to the Russian radio did not include "a single word about the Healthcare.gov project."

Instead, Tsepkalo said "some of Belarus Hi-Tech Park residents were involved in implementation of a number of [information technology] projects for medical and insurance institutions which participated in the U.S. healthcare system reform," the statement said.

Internal and external security audits are conducted "if there are any concerns about specific issues," the statement said.

"System vulnerability to cyber attacks is, therefore, determined by the professionalism of the parties involved and not by the geographical location of programmers," the statement said.

Resident companies at HTP include IBM, Microsoft, Oracle, Hewlett-Packard, Cisco, and other international firms.

Additionally, HTP companies have worked with American partners to "deliver many complex and innovative projects around the world, including in the U.S. and in the [European Union]."

The tech companies in Belarus "are proud of the cooperation with their U.S. partners," the statement said.

The statement concluded that "to the best of our knowledge" no Belarus tech companies have raised issues of concern related to malware implantation, and as a result reports on the matter were politically motivated.

In response to questions posed to Tsepkalo, Martinkevich said "we clearly stated what [the] director of HTP had meant in his interview: We didn’t develop Healthcare.gov website."

"We do not want to be involved in any political discussions since we are on the business side," he said. "We respect the American president’s efforts to build a new healthcare system."

Additionally, Martinkevich said: "We do not want to harm our companies and their American partners, including big software companies, and undermine their position on the by further speculations about ‘tabs or hidden opportunities,’ or ‘malicious code that could be used for cyber attacks.’"